apparmor="DENIED" operation="open" profile="snap.ffmpeg.ffprobe"

1

I’m getting thousands of following entries while accessing videos with airsonic-advanced on /media/sda/…

~$ dmesg -T

[sáb dic 12 18:08:34 2020] audit: type=1400 audit(1607792915.461:584): apparmor="DENIED" operation="open" profile="/snap/snapd/10492/usr/lib/snapd/snap-confine" name="/etc/pop-os/os-release" pid=42742 comm="snap-confine" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
[sáb dic 12 18:08:34 2020] audit: type=1400 audit(1607792915.461:585): apparmor="DENIED" operation="open" profile="snap-update-ns.ffmpeg" name="/etc/pop-os/os-release" pid=42781 comm="5" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
[sáb dic 12 18:08:34 2020] audit: type=1400 audit(1607792915.465:586): apparmor="DENIED" operation="open" profile="snap.ffmpeg.ffprobe" name="/etc/pop-os/os-release" pid=42742 comm="snap-exec" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
[sáb dic 12 18:08:34 2020] audit: type=1400 audit(1607792915.601:587): apparmor="DENIED" operation="open" profile="/snap/snapd/10492/usr/lib/snapd/snap-confine" name="/etc/pop-os/os-release" pid=42794 comm="snap-confine" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
[sáb dic 12 18:11:23 2020] kauditd_printk_skb: 74 callbacks suppressed
[sáb dic 12 18:11:23 2020] audit: type=1400 audit(1607793085.188:662): apparmor="DENIED" operation="open" profile="/snap/snapd/10492/usr/lib/snapd/snap-confine" name="/etc/pop-os/os-release" pid=45238 comm="snap-confine" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
[sáb dic 12 18:11:23 2020] audit: type=1400 audit(1607793085.192:663): apparmor="DENIED" operation="open" profile="snap.ffmpeg.ffmpeg" name="/etc/pop-os/os-release" pid=45238 comm="snap-exec" requested_mask="r" denied_mask="r" fsuid=0 ouid=0

~$ ll /var/lib/snapd/apparmor/profiles

-rw-r--r-- 1 root root 26941 dic 12 14:55 snap-confine.snapd.10492
-rw-r--r-- 1 root root 41078 dic 12 15:02 snap.ffmpeg.ffmpeg
-rw-r--r-- 1 root root 41078 dic 12 15:02 snap.ffmpeg.ffplay
-rw-r--r-- 1 root root 41081 dic 12 15:02 snap.ffmpeg.ffprobe
-rw-r--r-- 1 root root  5745 dic 12 14:56 snap-update-ns.ffmpeg

~$ snap version

snap    2.48.1
snapd   2.48.1
series  16
pop     20.04
kernel  5.8.0-7630-generic

~$ snap list

Nombre  Versión   Rev    Seguimiento    Editor        Notas
core18  20200929  1932   latest/stable  canonical✓    base
ffmpeg  4.3.1     1286   latest/edge    snapcrafters  -
snapd   2.48.1    10492  latest/stable  canonical✓    snapd

~$ snap connections

Interfaz         Enchufe                 Ranura            Notas
audio-playback   ffmpeg:audio-playback   :audio-playback   -
desktop          ffmpeg:desktop          :desktop          -
home             ffmpeg:home             :home             -
network          ffmpeg:network          :network          -
network-bind     ffmpeg:network-bind     :network-bind     -
opengl           ffmpeg:opengl           :opengl           -
optical-drive    ffmpeg:optical-drive    :optical-drive    -
pulseaudio       ffmpeg:pulseaudio       :pulseaudio       -
removable-media  ffmpeg:removable-media  :removable-media  manual
wayland          ffmpeg:wayland          :wayland          -
x11              ffmpeg:x11              :x11              -

~$ systemctl list-unit-files | grep snap

snap-core18-1885.mount                     enabled         enabled
snap-core18-1932.mount                     enabled         enabled
snap-ffmpeg-1286.mount                     enabled         enabled
snap-snapd-10238.mount                     enabled         enabled
snap-snapd-10492.mount                     enabled         enabled
snapd.apparmor.service                     enabled         enabled
snapd.autoimport.service                   enabled         enabled
snapd.core-fixup.service                   enabled         enabled
snapd.failure.service                      static          enabled
snapd.recovery-chooser-trigger.service     enabled         enabled
snapd.seeded.service                       enabled         enabled
snapd.service                              enabled         enabled
snapd.snap-repair.service                  static          enabled
snapd.system-shutdown.service              enabled         enabled
snapd.socket                               enabled         enabled
snapd.snap-repair.timer                    enabled         enabled

Dude, no idea how to get rid off these entries or allow apparmor to be less restrictive with snap.ffmpeg.

2

pop-os seems to hack up the standard location of the os-release file (i’d guess they make it a symlink to /etc/pop-os/os-release) unlike every other linux distro …

so i guess you should either file a bug in popos that they respect the standardized file location for os-release or file a bug against snapd to add an exception for that non-standard use of the os-release file.

3

@ogra I think your first suggestion looks like is going directly to the root of the problem. Meanwhile I upgraded to 20.10 in pop os and installed ffmpeg (4.3.1). Later on I will reinstall snap again and check. Thanks!

1 Like
4

Actually, as mentioned in another post, according to freedesktop.org /etc/os-release and /usr/lib/os-release can be links to other files, so /etc/pop-os/os-release is perfectly valid if it follows the file format of os-release.

I believe part of the problem here is that /snap/core/current/etc/apparmor.d/usr.lib.snapd.snap-confine.real overrides /etc/apparmor.d/usr.lib.snapd.snap-confine.real. I have modified the /etc/apparmor.d/usr.lib.snapd.snap-confine.real to include /etc/pop-os/ in the following line: # Allow reading the os-release file (possibly a symlink to /usr/lib). /{etc/,usr/lib/,etc/pop-os/}os-release r,

Reloaded, even rebooted, but still get the same DENIED message. The file in /snap/core is read-only (container), so modifying it isn’t possible (and I don’t have time to go researching how to make a new snap core to fix this).